Is your code secure? Use this FREE tool (CodeSec) to find out: bit.ly/3tcPUQx TOOLS USED IN THIS VIDEO --------------------------------------------------- - AMASS: github.com/OWASP/Amass (find subdomains) -TakeOver: github.com/m4ll0k/takeover (subdomain takeover vulnerability scanner) -Dig (apt install dig) 🔥🔥Join Hackwell Academy!: ntck.co/NCAcademy 0:00 ⏩ Intro 0:18 ⏩ How subdomain takeover works 1:59 ⏩ Why Subdomain takeovers are dangerous 2:33 ⏩ Make sure your code is secure using codesec! 4:06 ⏩ find our targets subdomains using Amass 5:06 ⏩ The username is not available 5:57 ⏩ IT actually worked!! 6:17 ⏩ Once you’re in github… 6:58 ⏩ The same thing can happen with Azure 7:45 ⏩ so how do you protect your website
Do you have any recommendations for someone who bought a new computer and the staples set it up in a bad way with admins and a fake windows defender that I can’t seem to figure out how to fix. I have Apache licenses and open sources and all of this stuff I have no idea how to fix. Thoughts?
This goes even deeper... you own a DNS name and then abandon it after several years... (perhaps an unforeseen event or your start-up fails)... Some 3rd party eventually purchased my old domain and used the way back machine to re-create the website... WARNING... think hard before abandoning a domain name!
I don't get it, if the website is deployed from github, why would you ever delete your github account? You would have probably switched to another repo or just uploaded the files directly to your server before you delete your account while your website is still dependent on it. I also don't understand why this is only a vulnerability with subdomains.
Guys, question. If you have control of the main domain and delete the entry for the subdomain that was took over, that would be the end off correct? Or is there a way to take full control of asub domain regardless of the main domain DNS records?
@@LuminousWhispers11 thanks Rashad, do you know why some people claim bounty rewards to give subdomain back if it's as easy as deleting the record on root? That's what confuses me
The worst part of this...as an end user, there is really no way of knowing if this happened. You can get an SSL certificate for the redirected subdomain, which means HTTPS will work fine.
i feel like this video was inspired by the "Avoiding DNS Pain" NDC talk that was uploaded 3 weeks ago. they cover this exact problem and also one solution (basically DNS as code like infrastructure as code).
This happens all the time even for large companies including microsoft, amazon, walmart, etc that people use subdomains to send spam mail from the main domain from the actual company making hard to block spam mail because you can't just block the email address or the domain because you might actually want email from the actual company. Most email services don't allow blocking subdomains only email addresses themselves or primary domains. So people just make infinite amounts of sub domains for the primaries of an actual companies domains making it hard to block spam. At times it almost feels like the spammer have hacked the mail servers themselves and using it to spam and it's even funner when they are able to send spam mail out with no email address at all because the servers don't check to see is the account sending actually exist or even cares if the send mail is blank. It's even more fun when some emails services have auto avatar and names loading that get associated with the spammers email making it even look more like a real email. It's kind of hard for me to explain this lol.
For my company, our security requires any external facing sub domains can only be on 443, no 80 or re-directs like this shown. The owner has the attest to it and put new certs every 90 days and we monitor all external facing URL's. This is a serious open window that a lot of corporations do not even bother to worry about. But I'm glad I work with and lead one of the best IT security teams in my industry where we are constantly 5 steps further then what is required for our various regulations (PCI/ISO/SEC/FRB/etc...)
No you would have to use a CNAME in this case since you do not have IP access to Github's servers to redirect your site when requests are received for your subdomain. However, if you simply delete he CNAME in your DNS config, the crisis will be averted.
Nice video, just a question. If you have control of the main domain and delete the entry for the subdomain that was took over, that would be the end off correct? Or is there a way to take full control of asub domain regardless of the main domain DNS records?
There are actually some commercial vendors that do monitor for this kind of stuff (RiskIQ being one), it's not cheap, but it does do a decent job of detecting this.
It just misses the point on why this can be so effective - if the original creator of the website links it IN his website, it's legit in the eyes of end-user and little to no precaution is taken.
I don't know how that works precisely, but wouldn't they have to have valid SSL certificates? They could likely get one easy enough, but even for my small domain I get warnings of certificates are issued, so I'd notice if an certificate is issued without it being from me or my services. EDIT: Yup, going by you completing a DNS Challenge you had to get a certificate so that'd protect me. Also I don't point any of my subdomains to some route out of my control, so even not looking for certificates I should be fine as long as that's the case. And even if I do that, these will be the only kind of subdomains attack able with that exploit.
I think the way he showed it from here, you will be using GitHub's certificate? because he points your website to a GitHub website. If you want to know, you can follow his method to find out.
Its always DNS when something bad happens... when there is access issues, its always the network... ALWAYS!!! when I call our NOC "Oh, thats odd, just a second... okay I didnt find anything wrong, can you try again?" "wth its working now!??!" "Yeah, there was nothing over here, musta been a bug on your side" This is every convo with a network admin ever... they always fix a little mistake they found but never fess up to it...
ANM27T at less than $1. is like BTC at $100. When ANM27T finally blows it's gonna be epic.
2 ปีที่แล้ว
This week is hell and a bloodbath can happen but why we don't discuss the fact that Amazon also released their ANM27T in it? Always two sides of a coin
Something happen same, I was deleted my insta account but next mont i realized that someone could access it and following a lot of people I don't know. i don't know what i should do in this case😪
@NetworkChuck - You mention this is untraceable a few times. Off the top of my head, you could get insight via: 1) DNS Token canary (alert when hostname is requested). 2) URL Token canary (alert when URL is visited). Q - Any way to mitigate this with server side permissions or CloudFlare ? I used a PDF canary to track a document (as there was a suspected bad actor) and was able to then get public IP's and some geo data from the WAN they were connected to when opening the document. Proved the suspicion, and then the Executives got talking to the lawyers / police etc.
Dnssec wouldn't protect against this. The problem is that the name server trusts the website because the owner inputed that in. Since the name server trusts it, all dns servers would also trust it. Even if they use dnssec.
Is your code secure? Use this FREE tool (CodeSec) to find out: bit.ly/3tcPUQx
TOOLS USED IN THIS VIDEO
---------------------------------------------------
- AMASS: github.com/OWASP/Amass (find subdomains)
-TakeOver: github.com/m4ll0k/takeover (subdomain takeover vulnerability scanner)
-Dig (apt install dig)
🔥🔥Join Hackwell Academy!: ntck.co/NCAcademy
0:00 ⏩ Intro
0:18 ⏩ How subdomain takeover works
1:59 ⏩ Why Subdomain takeovers are dangerous
2:33 ⏩ Make sure your code is secure using codesec!
4:06 ⏩ find our targets subdomains using Amass
5:06 ⏩ The username is not available
5:57 ⏩ IT actually worked!!
6:17 ⏩ Once you’re in github…
6:58 ⏩ The same thing can happen with Azure
7:45 ⏩ so how do you protect your website
Hey chuck (apt install dig) will not work 😊 its (apt install dnsutils)
hey your comment section is botted lol
Do you have any recommendations for someone who bought a new computer and the staples set it up in a bad way with admins and a fake windows defender that I can’t seem to figure out how to fix. I have Apache licenses and open sources and all of this stuff I have no idea how to fix. Thoughts?
Thanks for your video. I learns a lot and useful to my job.
This goes even deeper... you own a DNS name and then abandon it after several years... (perhaps an unforeseen event or your start-up fails)... Some 3rd party eventually purchased my old domain and used the way back machine to re-create the website... WARNING... think hard before abandoning a domain name!
Always remember kids - "It's only for educational purposes"
I don't get it, if the website is deployed from github, why would you ever delete your github account? You would have probably switched to another repo or just uploaded the files directly to your server before you delete your account while your website is still dependent on it. I also don't understand why this is only a vulnerability with subdomains.
because you cannot create CNAME records for root domains
You just have to delete the resource and not alter the dns records. Remember this was a demonstration.
Guys, question. If you have control of the main domain and delete the entry for the subdomain that was took over, that would be the end off correct? Or is there a way to take full control of asub domain regardless of the main domain DNS records?
@@777Yashobeamofchrist Yes, if you delete the dns records then no one can hijack the subdomain.
@@LuminousWhispers11 thanks Rashad, do you know why some people claim bounty rewards to give subdomain back if it's as easy as deleting the record on root? That's what confuses me
The worst part of this...as an end user, there is really no way of knowing if this happened.
You can get an SSL certificate for the redirected subdomain, which means HTTPS will work fine.
Remember kids ...
it's always DNS, always.
NetworkChuck: You'res could be next Me who dosent have money for domain: yes.
i feel like this video was inspired by the "Avoiding DNS Pain" NDC talk that was uploaded 3 weeks ago.
they cover this exact problem and also one solution (basically DNS as code like infrastructure as code).
This happens all the time even for large companies including microsoft, amazon, walmart, etc that people use subdomains to send spam mail from the main domain from the actual company making hard to block spam mail because you can't just block the email address or the domain because you might actually want email from the actual company. Most email services don't allow blocking subdomains only email addresses themselves or primary domains. So people just make infinite amounts of sub domains for the primaries of an actual companies domains making it hard to block spam. At times it almost feels like the spammer have hacked the mail servers themselves and using it to spam and it's even funner when they are able to send spam mail out with no email address at all because the servers don't check to see is the account sending actually exist or even cares if the send mail is blank. It's even more fun when some emails services have auto avatar and names loading that get associated with the spammers email making it even look more like a real email. It's kind of hard for me to explain this lol.
For my company, our security requires any external facing sub domains can only be on 443, no 80 or re-directs like this shown. The owner has the attest to it and put new certs every 90 days and we monitor all external facing URL's. This is a serious open window that a lot of corporations do not even bother to worry about. But I'm glad I work with and lead one of the best IT security teams in my industry where we are constantly 5 steps further then what is required for our various regulations (PCI/ISO/SEC/FRB/etc...)
Love your content.....keep doing great things!
I saw something recently call no-code programming. Can you give your perspective on it?
Just curious what is your input in the targets.txt file ?
Mr Beast Game sweatshirt 😂😂😂
btw. i love your videos!
There is somebody exploiting your number 2 before you had a chance to film. Proof positive that somebody is always trying to mess with your sh*t.
…that was quick. I am glad I grabbed my small coffee mug.
* Insert gif of Captain Holt saying “Bingpot!” here *
Nice new studio 🤩
Your new studio is nice .... but I like the previous one more😂😅
you are doing such a fabulous job 😜
What about a subdomain takeover with Fastly?
Yes but if you use A record instead of CNAME aren't you more safe?
No you would have to use a CNAME in this case since you do not have IP access to Github's servers to redirect your site when requests are received for your subdomain. However, if you simply delete he CNAME in your DNS config, the crisis will be averted.
Now I know the difference between real voice chuck and content creator chuck. BTW luv the videos !
How to run tool in kalilinux from any path ?
Nice video, just a question. If you have control of the main domain and delete the entry for the subdomain that was took over, that would be the end off correct? Or is there a way to take full control of asub domain regardless of the main domain DNS records?
Yes, they won't be able to use your domain name anymore. Unless your registered domain name is also controlled.
@@cxl520 thx xl c
he won't tell you. you need to pay. network cuck is useless. David Bombal is 10x better.
Super video Chuck Your videos are awesome And informative 👍🏿
Thanks for this vid! I have been looking into domain take over a bit recently and this really clears it up for me.
takeover moved or was deleted
Best prevention is to not have a website
Underrated comment
yes.
Or don't create cname entries in your dns record for domains that you don't control
🤔
Even better is to not be alive
Amazing video. Also can we get a kali Linux intro series
@networkchuck can you please make a video of your tools and gadgets?! We need to know. Like a tour of your desk :p
4:15 is all of us before we found you
Is there a free hacking software for Windows? Like the one you use in Linux but then for Windows?
There are actually some commercial vendors that do monitor for this kind of stuff (RiskIQ being one), it's not cheap, but it does do a decent job of detecting this.
This is as powerful as giving Blue tick for 8$ and achieve any identification and status with a unethical or biased thoughts
As a front end developer, I understand nothing from the code you wrote
He was doing that in Linux terminal, that's not back end Programming
@@Ali-lm7uw thanks bro
@@developer_hadi yeah, that's bash scripting when using Linux. I am front and back dev too but have to look up the Linux commands always
@@Ali-lm7uw I have windows, if I installed linux can I still install cracked apps?
@@Ali-lm7uw because I'm using a cracked photoshop and illustrator versions, I don't know if I could do that on linux
Thanks for the video Chuck! It will definitely all the website developers!
Thank you for this very informative video, so could you please do a video on the best method to secure DNS and a site? Thanks.
Don't create cname entries in your dns for domains that you don't control
Cloudflare
Hey bro, love your content a lot
No worries man, I've always been here watching your better content
I love your content so much chuck
Sorry I don't understand the part that you created file called fun html.
LESGOOO FIRST COMMENT! keep the vids coming love your content
is it possible to takeover the maindomain from a subdomain ?
Greets
thought the same thing
i'm surprised GitHub makes usernames available after only 90 days it should be 365 days same with all socials or logins minimum
Great video, please coninue making these kinds of videos
How to get the takeover tool. I didn't find in github
second
That's something big companies wouldn't do. Nice video, but no big company would do this.
You would need to know that the GETHUB was available and a DNS record was pointing to it....highly unlikely to happen.
Did you watch the video?
This is terrifying.
It just misses the point on why this can be so effective - if the original creator of the website links it IN his website, it's legit in the eyes of end-user and little to no precaution is taken.
So cool content and so less likes. Shame in you guys. Thanks for this.
The problem is, this requires the targets to be a bit stupid...
all of this because github can't fkkking clear the dns setting when the account is deleted
I don't know how that works precisely, but wouldn't they have to have valid SSL certificates? They could likely get one easy enough, but even for my small domain I get warnings of certificates are issued, so I'd notice if an certificate is issued without it being from me or my services.
EDIT: Yup, going by you completing a DNS Challenge you had to get a certificate so that'd protect me.
Also I don't point any of my subdomains to some route out of my control, so even not looking for certificates I should be fine as long as that's the case. And even if I do that, these will be the only kind of subdomains attack able with that exploit.
I think the way he showed it from here, you will be using GitHub's certificate? because he points your website to a GitHub website. If you want to know, you can follow his method to find out.
loved your all content sir
You are better than any AI !
Great video as always. I notice that you display the ANM27T! I just got some too!
what happens if I go to a suspicious link and it crosses out and clears the log, can the page still retrieve data?
don't have one, jokes on them 😅.
Another video by chuck
Thank Goodness
Now this is something of my interest
It's always DNS accept when it's a buffer overflow.
Its always DNS when something bad happens... when there is access issues, its always the network... ALWAYS!!! when I call our NOC "Oh, thats odd, just a second... okay I didnt find anything wrong, can you try again?" "wth its working now!??!" "Yeah, there was nothing over here, musta been a bug on your side" This is every convo with a network admin ever... they always fix a little mistake they found but never fess up to it...
Bro can i use kali as main OS
If a hacker hacks my website, I’d let them have it :) I don’t have a website. They were pranked!
MrBeast Gaming Hoodie. Like a KING
CodeSec!! 🎉
On ANM27T go long when the sell pressure reduce.
Very very interesting video, sir puted in a very cool and funny way :)
You got a sub from me!
Love your videos. Always awesome.
Something I have always been curious about. What do you use to draw on your desktop?
I love how on a how to hack channel, an impersonator of network chuck tried to get me to IM him.
I don't think so idiot.
He uses a graphics tablet on Photoshop, with a green background. Then keys the green out in post.
Or at least he used to!
I have a question.
Is this DNS rebinding?
make a course on ceh practical
Will you make any research videos about ANM27T
Please make videos on (Bug Bounty) techniques..........
Thank you sir for another great video, been getting much great lesson from your channel 👍
I bet you are...
7:47 Just use A records where possible.
Love your videos ❤
Keep going men I love your content it's very helpful thank you ♥️
Whats the name of the software with e green W
TakeOver Script is not available on this user where can i find this exact script?
What's better holding into crash or being safe with ANM27T tell me
Did mr. Beast sponsor this video btw i love your video
ANM27T at less than $1. is like BTC at $100. When ANM27T finally blows it's gonna be epic.
This week is hell and a bloodbath can happen but why we don't discuss the fact that Amazon also released their ANM27T in it? Always two sides of a coin
I'm loving this!!
Great vid. subfinder, sublist3r, findomain, assetfinder, subjack and subzy can be used for that purpose too. :)
FBI I just watch for my school project, don't be so mean
😅😅😅
super cool video. Can i get the name of the backgroud music? Please?
how to clear or delete came record is that possible ?
Nice hairstyle bro!
Same thing I did to take over Facebook account in old days. when an email IDs gets deleted because u didn't logged in for 6 month 😆
Me watching Network Chuck has Beast Gaming Hoodie 😂
Something happen same, I was deleted my insta account but next mont i realized that someone could access it and following a lot of people I don't know. i don't know what i should do in this case😪
I didnt know about this, looks scary.
@NetworkChuck - You mention this is untraceable a few times. Off the top of my head, you could get insight via:
1) DNS Token canary (alert when hostname is requested).
2) URL Token canary (alert when URL is visited).
Q - Any way to mitigate this with server side permissions or CloudFlare ?
I used a PDF canary to track a document (as there was a suspected bad actor) and was able to then get public IP's and some geo data from the WAN they were connected to when opening the document. Proved the suspicion, and then the Executives got talking to the lawyers / police etc.
2:57 "Fastest a$$. Fast a$$ is fast." bruh, my a$$ is pretty fast tysm :D
Wow superb Boss 👍👍
That’s not hacking. There should be a term specifically for this let’s call it misconfiguring.
What about dnssec?
Dnssec wouldn't protect against this. The problem is that the name server trusts the website because the owner inputed that in. Since the name server trusts it, all dns servers would also trust it. Even if they use dnssec.